Hong Kong PDPO Compliance
Hong Kong's Personal Data (Privacy) Ordinance (PDPO) requires data users to safeguard personal data with all practicable security steps.Learn how ImmuniWeb helps you meet Data Protection Principle 4.
Conformité à l’ordonnance de Hong Kong sur la protection des données personnelles (PDPO)
What Is the Hong Kong PDPO?
The PDPO governs how organizations collect, hold, process and use personal data. Its six Data Protection Principles cover collection purpose and means, accuracy and retention, use, security, openness, and data subject access and correction.
It applies to 'data users' who control the collection, holding, processing or use of personal data. The PCPD investigates complaints, issues enforcement notices and guidance, and the 2021 amendments introduced criminal offences targeting doxxing.
See how ImmuniWeb helps you meet PDPO Data Protection Principle 4- the security of the personal data your web and mobile apps hold. Request a demo· or run a free Community Edition test.
Who Must Comply with PDPO?
The PDPO applies to:
- Data users (public or private) that control the collection, holding, processing or use of personal data in or from Hong Kong.
- Organizations of any size and sector handling personal data of individuals.
- Data processors engaged by data users, who remain responsible for their processors' security.
Any organization running web and mobile applications that hold personal data must take all practicable steps to secure them under DPP4.
Exigences clés du PDPO pour la sécurité des applications
Application security sits under Data Protection Principle 4:
- DPP4 - Sécurité des données à caractère personnel: prendre toutes les mesures praticables pour protéger les données à caractère personnel contre tout accès, traitement, effacement, perte ou utilisation non autorisé ou accidentel.
- Risk-based considerations: the sensitivity of the data, the harm a breach could cause, where the data is stored, and the security measures applied to systems and transmission.
- Data breach handling: the PCPD recommends prompt breach handling and notification in line with its guidance.
PDPO Security Requirements in Depth
DPP4 - Security of Personal Data
DPP4 requires data users to take 'all practicable steps' to keep personal data secure. For internet-facing systems that means testing the web and mobile applications, APIs and infrastructure that hold personal data for vulnerabilities, and remediating what is found - before and after significant changes.
Data Breach Handling
While breach notification has historically been recommended rather than mandatory, the PCPD's guidance expects prompt handling and notification. Reducing breach likelihood through regular application testing is the most effective way to stay ahead of these expectations.
Risques courants des applications Web et mobiles à remédier
Personal-data breaches frequently start with vulnerable web and mobile applications. The risks DPP4 expects you to address map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Échecs cryptographiques — chiffrement faible ou absent exposant des données sensibles.
- Injection — Injection SQL, de commande ou autre via des entrées non validées.
- Insecure Design — contrôles de sécurité manquants par conception, pas seulement à cause d'un bug.
- Mauvaise configuration de sécurité — configuration par défaut, incomplète ou non sécurisée.
- Composants vulnérables et obsolètes — bibliothèques et frameworks non patchés.
- Identification & Authentication Failures — weak login, session or credential handling.
- Échecs d'intégrité des logiciels et des données — mises à jour non fiables, pipelines CI/CD non sécurisés.
- Échecs de journalisation et de surveillance de la sécurité — les attaques passent inaperçues.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Approach PDPO Application Security with ImmuniWeb
- Map your exposure. Inventory internet-facing apps and assets with ImmuniWeb Discovery.
- Test web applications with On-Demand (penetration testing) and Neuron (scanning).
- Testez les applications mobiles avec MobileSuite et Neuron Mobile.
- Remediate and retest with actionable, zero-false-positive reports - evidence of 'all practicable steps'.
- Keep testing continuously with Continuous in CI/CD and periodic re-testing.
- Monitor for leaks with Discovery dark-web monitoring.
How ImmuniWeb Helps You Achieve PDPO Compliance
ImmuniWeb helps data users take and evidence the 'all practicable steps' that DPP4 requires.
| Exigence | Ce que cela nécessite | Produits ImmuniWeb |
|---|---|---|
| DPP4 | Take all practicable steps to secure personal data. | On-Demand, Neuron, Discovery, Continuous |
| Applications et données | Secure web/mobile apps holding personal data. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
| Breach readiness | Detect exposure and leaked data; keep attack surface mapped. | Discovery (ASM / Dark Web) |
ImmuniWeb On-Demand et MobileSuite proposent des tests d’intrusion Web et mobiles ; Neuron et Neuron Mobile fournissent des balayages automatisés ; Continuous intègre les tests dans le CI/CD ; et Discovery cartographie votre surface d’attaque et surveille le Dark Web pour les données personnelles divulguées.
PDPO vs International Frameworks
Si vous respectez déjà des normes internationales, les mêmes tests ImmuniWeb les couvrent toutes:
| Framework | Perspective sécurité des applications | Comment ImmuniWeb s'aligne |
|---|---|---|
| Hong Kong PDPO | DPP4 security of personal data | Tests d’intrusion Web/mobile, analyse, ASM, surveillance du Dark Web |
| Singapore PDPA | Section 24: Obligation de protection | Les mêmes tests couvrent les deux |
| RGPD | Article 32 sécurité du traitement | Les mêmes tests couvrent les deux |
| ISO/IEC 27001 | Annexe A: contrôles techniques | Tests comme preuve de contrôle |
Tests d'intrusion vs scans de sécurité
Les deux sont nécessaires. Le scan automatisé (DAST) offre une couverture large et fréquente et est idéal pour les tests continus dans le CI/CD ; le penetration testing manuel trouve les vulnérabilités de logique métier et complexes que les scanners manquent et produit la profondeur attendue par les auditeurs et les régulateurs. Combinez le scanning continu avec du penetration testing manuel périodique, et re-testez après des changements significatifs.
Liste de contrôle de conformité (Sécurité des applications)
- Inventaire des applications exposées sur Internet et des actifs exposés
- Applications web testées contre le Top 10 OWASP
- Applications mobiles testées par rapport à la liste OWASP Mobile Top 10
- All practicable security steps implemented and verified (DPP4)
- Processors held to equivalent security standards
- Les failles identifiées sont corrigées et retestées ; les enregistrements sont conservés
- Surveillance de l'exposition et du Dark Web en place
Why PDPO Compliance Matters
The PCPD can issue enforcement notices, and non-compliance can lead to fines and, for doxxing offences introduced in 2021, fines of up to HK$1,000,000 and up to 5 years' imprisonment. A breach also brings reputational damage in a major financial hub.
Because web and mobile applications are a leading breach vector, demonstrably securing and testing them is one of the clearest ways to satisfy DPP4 and reduce risk.